/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
if ($message === null) {
/*
* It's useful to have a Message attached to a
* ProtocolError, so we override the bad ns value to build
* a Message out of it. Kinda kludgy, since it's made of
* lies, but the parts that aren't lies are more useful
* than a 'None'.
*/
$old_ns = $query['openid.ns'];
$query['openid.ns'] = Auth_OpenID_OPENID2_NS;
$message = Auth_OpenID_Message::fromPostArgs($query);
return new Auth_OpenID_ServerError(
$message,
sprintf("Invalid OpenID namespace URI: %s", $old_ns));
}
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message,
"No mode value in message");
}
if (Auth_OpenID::isFailure($mode)) {
return new Auth_OpenID_ServerError($message,
$mode->message);
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
$this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'),
array($message, $this->server));
} else {
return $handlerCls;
}
}
/**
* @access private
*/
function _verifyReturnToArgs($query)
{
// Verify that the arguments in the return_to URL are present in this
// response.
$message = Auth_OpenID_Message::fromPostArgs($query);
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
if (Auth_OpenID::isFailure($return_to)) {
return $return_to;
}
// XXX: this should be checked by _idResCheckForFields
if (!$return_to) {
return new Auth_OpenID_FailureResponse(null, "Response has no return_to");
}
$parsed_url = parse_url($return_to);
$q = array();
if (array_key_exists('query', $parsed_url)) {
$rt_query = $parsed_url['query'];
$q = Auth_OpenID::parse_str($rt_query);
}
foreach ($q as $rt_key => $rt_value) {
if (!array_key_exists($rt_key, $query)) {
return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
} else {
$value = $query[$rt_key];
if ($rt_value != $value) {
return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
}
}
}
// Make sure all non-OpenID arguments in the response are also
// in the signed return_to.
$bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
foreach ($bare_args as $key => $value) {
if (Auth_OpenID::arrayGet($q, $key) != $value) {
return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value));
}
}
return true;
}
function test_overrideRequired()
{
// Be sure that caller CANNOT change the form charset for
// encoding type.
$m = Auth_OpenID_Message::fromPostArgs($this->postargs);
$tag_attrs = $this->form_tag_attrs;
$tag_attrs['accept-charset'] = 'UCS4';
$tag_attrs['enctype'] = 'invalid/x-broken';
$html = $m->toFormMarkup($this->action_url, $tag_attrs, $this->submit_text);
$this->_checkForm($html, $m, $this->action_url, $tag_attrs, $this->submit_text);
}
function setUp()
{
$this->store = new GoodAssocStore();
$this->consumer = new Auth_OpenID_GenericConsumer($this->store);
$this->consumer->discoverMethod = array($this, 'discoveryFunc');
$this->identifier = "http://idp.unittest/1337";
$this->server_url = "http://endpoint.unittest/";
$this->message = Auth_OpenID_Message::fromPostArgs(array('openid.ns' => Auth_OpenID_OPENID2_NS, 'openid.identity' => $this->identifier, 'openid.claimed_id' => $this->identifier, 'openid.op_endpoint' => $this->server_url));
$this->endpoint = new Auth_OpenID_ServiceEndpoint();
$this->endpoint->server_url = $this->server_url;
}
function index()
{
try {
$member = Member::currentUser();
if ($member) {
// user is already logged in
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
$consumer = Injector::inst()->get('MyOpenIDConsumer');
$query = Auth_OpenID::getQuery();
$message = Auth_OpenID_Message::fromPostArgs($query);
$nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce');
list($timestamp, $salt) = Auth_OpenID_splitNonce($nonce);
$claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'claimed_id');
error_log(sprintf('OpenStackIdAuthenticator : id %s - salt %s - timestamp %s', $claimed_id, $salt, $timestamp));
// Complete the authentication process using the server's response.
$response = $consumer->complete(OpenStackIdCommon::getReturnTo());
if ($response->status == Auth_OpenID_CANCEL) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_CANCEL', SS_Log::WARN);
throw new Exception('The verification was cancelled. Please try again.');
} else {
if ($response->status == Auth_OpenID_FAILURE) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE');
SS_Log::log('OpenStackIdAuthenticator : Auth_OpenID_FAILURE', SS_Log::WARN);
throw new Exception("The OpenID authentication failed.");
} else {
if ($response->status == Auth_OpenID_SUCCESS) {
error_log('OpenStackIdAuthenticator : Auth_OpenID_SUCCESS');
$openid = $response->getDisplayIdentifier();
$openid = OpenStackIdCommon::escape($openid);
if ($response->endpoint->canonicalID) {
$openid = escape($response->endpoint->canonicalID);
}
//get user info from openid response
$member = null;
list($email, $full_name) = $this->getUserProfileInfo($response);
if (!is_null($email)) {
//try to get user by email
$member = $this->member_repository->findByEmail($email);
}
if (!$member) {
// or by openid
$member = Member::get()->filter('IdentityURL', $openid)->first();
}
if ($member) {
$result = $member->canLogIn();
if ($result->valid()) {
$member->setIdentityUrl($openid);
$member->write();
$member->LogIn(true);
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
throw new Exception("Inactive User!");
}
throw new Exception("The OpenID authentication failed: can not find user " . $openid);
}
}
}
} catch (Exception $ex) {
Session::set("Security.Message.message", $ex->getMessage());
Session::set("Security.Message.type", "bad");
SS_Log::log($ex, SS_Log::WARN);
return $this->redirect("Security/badlogin");
}
}
function test_fromPostArgs_ns11()
{
// An example of the stuff that some Drupal installations send us,
// which includes openid.ns but is 1.1.
$query = array('openid.assoc_handle' => '', 'openid.claimed_id' => 'http://foobar.invalid/', 'openid.identity' => 'http://foobar.myopenid.com', 'openid.mode' => 'checkid_setup', 'openid.ns' => 'http://openid.net/signon/1.1', 'openid.ns.sreg' => 'http://openid.net/extensions/sreg/1.1', 'openid.return_to' => 'http://drupal.invalid/return_to', 'openid.sreg.required' => 'nickname,email', 'openid.trust_root' => 'http://drupal.invalid');
$m = Auth_OpenID_Message::fromPostArgs($query);
$this->assertTrue($m->isOpenID1());
}
function test_verifyAssocMismatch()
{
// Attempt to validate sign-all message with a signed-list
// assoc.
$assoc_handle = '{vroom}{zoom}';
$assoc = Auth_OpenID_Association::fromExpiresIn(60, $assoc_handle, 'sekrit', 'HMAC-SHA1');
$this->store->storeAssociation($this->dumb_key, $assoc);
$signed = Auth_OpenID_Message::fromPostArgs(array('foo' => 'bar', 'apple' => 'orange', 'openid.sig' => "d71xlHtqnq98DonoSgoK/nD+QRM="));
$verified = $this->signatory->verify($assoc_handle, $signed);
$this->assertFalse($verified);
}
/**
* Given an HTTP query in an array (key-value pairs), decode it
* into an Auth_OpenID_Request object.
*/
function decode($query)
{
if (!$query) {
return null;
}
$message = Auth_OpenID_Message::fromPostArgs($query);
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
if (!$mode) {
return new Auth_OpenID_ServerError($message, "No mode value in message");
}
$handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode, $this->defaultDecoder($message));
if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
return call_user_func_array(array($handlerCls, 'fromMessage'), array($message, $this->server));
} else {
return $handlerCls;
}
}
/**
* @access private
*/
function _verifyReturnToArgs($query)
{
// Verify that the arguments in the return_to URL are present in this
// response.
$message = Auth_OpenID_Message::fromPostArgs($query);
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
// XXX: this should be checked by _idResCheckForFields
if (!$return_to) {
return new Auth_OpenID_FailureResponse(null, "no openid.return_to in query");
}
$parsed_url = parse_url($return_to);
$q = array();
if (array_key_exists('query', $parsed_url)) {
$rt_query = $parsed_url['query'];
$q = Auth_OpenID::parse_str($rt_query);
}
foreach ($q as $rt_key => $rt_value) {
if (!array_key_exists($rt_key, $query)) {
return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
} else {
$value = $query[$rt_key];
if ($rt_value != $value) {
return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
}
}
}
return true;
}
/**
* @access private
*/
function _verifyReturnToArgs($query)
{
// Verify that the arguments in the return_to URL are present in this
// response.
$message = Auth_OpenID_Message::fromPostArgs($query);
$return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
// modified by ben brown 2010-01-21
// for some reason the return url being specified is all jacked
//$return_to = preg_replace("/(.*?)\?.*/","$1",$return_to);
error_log("Looking at return to = {$return_to}");
if (Auth_OpenID::isFailure($return_to)) {
error_log("failing 1");
return $return_to;
}
// XXX: this should be checked by _idResCheckForFields
if (!$return_to) {
error_log("failing 2");
return new Auth_OpenID_FailureResponse(null, "Response has no return_to");
}
$parsed_url = parse_url($return_to);
error_log("parsed url: {$parsed_url}");
$q = array();
if (array_key_exists('query', $parsed_url)) {
$rt_query = $parsed_url['query'];
$q = Auth_OpenID::parse_str($rt_query);
}
foreach ($q as $rt_key => $rt_value) {
if (!array_key_exists($rt_key, $query)) {
error_log("failing 3");
return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
} else {
$value = $query[$rt_key];
if ($rt_value != $value) {
error_log("failing 4");
return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
}
}
}
// Make sure all non-OpenID arguments in the response are also
// in the signed return_to.
$bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
foreach ($bare_args as $key => $value) {
if (Auth_OpenID::arrayGet($q, $key) != $value) {
error_log("failing 5");
return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value));
}
}
return true;
}
